1. Introduction


This document is the second in a two-part collection that describes a general-purpose
Requirements Specification Language, RSL. The RSL language and supporting toolset are
described in detail in Reference 1. Presented here is an extended example of RSL use. The
example is a partial requirements specification for an Advanced Subsonic Civil
Transport (ASCT) Flight Control System. The example has been adapted from requirements
given in a NASA Contractor report (Reference 2).

It is important to note that large examples such as this should be viewed using the 
computer-based RSL browsing tools. These tools are described in a companion document. 
The sequential text form of the Example presented here is the formal base specification that 
is input to the RSL browsers. While it is possible to read the specification sequentially, it 
is intended to be viewed online via the browsers. 

When using the RSL browsers, a number of indices are available to facilitate "navigation" 
through a large specification. The browsers also support hypertext linking and graphical 
views of a specification. The current implementation of the browsing tools does not 
provide the means to generate the indices in a textual form suitable for inclusion in a
hard-copy document. Hence, the textual form of the example that follows does not include the
online browser indices, or any of the hypertext or graphical information that is available 
online. 

2. RSL Definition ASCT

The text of the requirements specification is given in Appendix A. 
Appendix A: Formal Requirements Specification

Requirements Specification for an
Advanced Subsonic Civil Transport (ASCT)
Flight Control System

Adapted from requirements given in NASA Contract report NAS1-18586,
August 1989, G. C. Cohen and R. E. McLees authors.

(referred to subsequently as "ASCT1")


The specification is organized into the following modules: 

FlyMission, Crew, Aircraft, Navigate, ControlMissionFlight,
ControlAerodynamicBraking, ControlLiftConfiguration,
ControlPitch, FlightControlSystemPitchFunctions,
ControlRoll, FlightControlSystemRollFunctions,
ControlYaw, FlightControlSystemYawFunctions,
FlightControlSystem




(******************************************************************************
 * FlyMission is the top-level module of the system. It is derived from the
 * material on ASCT1 pages 9-15.
 ******************************************************************************)


module FlyMission; (* from pg 13 *)

import Navigate, ControlMissionFlight;

export Mission, TargetFlightPath, ActualFlightPath, ExternalForcesOnActuator;

(*** These three field definitions are from Table 1 on page 15. ***)
define object attribute control_action, driver, control_system_requirement;

object Mission is
    components: TaxiInOut and TakeOff and Climb and Cruise
        and Descent and Approach and Landing and AltitudeRange
        and MissionState;
    operations:
        Navigate: (Mission) -> (TargetFlightPlan);
        (* There should be additional operations that are not explicitly
        specified in ASCT1.*)
    description: (*
        Definition of particular flight mission from which the target flight path
        can be generated (ASCT1 pg. 13). A Mission is the main object of the
        ASCT1 Flight Control System. Its first seven components represent each
        of the main segments of a controlled flight (ASCT1 pg. 15). The last two
        components represent the altitudes that may be attained during a mission
        (from 0 to MaxAltitude) and the global states of the mission.*)
end Mission;


object MissionState is
    components:
        OP: OperatingProcedures,
        FP: FlightPlan,
        FE: FlightEnvelope;
    operations: ;
    description: (* *);
end MissionState;

(***** Mission Segments (pg. 15) *****)

object class MissionSegment is
    components: AltitudeRange;
    description: (*
        A generic mission phase. Only identified component from ASCT1 is
        altitude range, but presumably there should be more. *);
end MissionSegment;

object TaxiInTaxiOut instance of MissionSegment is
    components: MoveFromTerminalPhase and AltitudeRange;
    operations: ;
    control_action: (* Move from passenger terminal to runway. *);
    {driver:} (* Terrain and obstacle avoidance. *)
    {control_system_requirement:} (* Speed control, nosewheel steering. *)
end TaxiInTaxiOut;

object TakeOff instance of MissionSegment is
    components: RunwayAcceleration and RunwayDeparture and AltitudeRange;
    operations:
        AccelerateToTakeOff: (AircraftState, SpeedControls) -> (AircraftState)
        DepartRunway: (AircraftState, LiftOffControls) -> (AircraftState);
    control_action:
        (* Accelerate to takeoff speed and depart runway. *)
    {driver:}
        (* Runway length, thrust limits, crosswind conditions *)
    {control_system_requirement:}
        (* Set high lift, set takeoff trim, thrust setting, nosewheel steering,
        engine out augmentation, on ground braking, stall angle of attack warning,
        manual trajectory control *)
end TakeOff;

object ClimbOutAndClimb instance of MissionSegment is
    components: ClimbOut and ClimbToAltitude;
    control_action:
        (* Ascend to cruise altitude and speed. *)
    {driver:}
        (* Time constraint, fuel consumption, ease pilot workload, ride quality *)
    {control_system_requirement:}
        (* Thrust setting, manual trajectory control, auto trajectory control,
        manual and auto trim envelope protection, auto control limiting, lift
        config. *)
end ClimbOutAndClimb;

object Cruise instance of MissionSegment is
    components: ;
    operations: ;
    control_action:
        (* Cruise. *);
    driver:
        (* Ease pilot workload, fuel consumption, minimize drag, ride quality. *)
    control_system_requirement:
        (* Speed control, manual trajectory control, auto trajectory control,
        manual and auto trim, envelope protection, auto control limiting, lift
        control. *);
end Cruise;

object DescentAndApproach instance of MissionSegment is
    components: Descent and Approach;
    control_action:
        (* *);
    driver:
        (* Ease pilot workload, ride quality, crosswind conditions, all weather
        approaches, tight path following. *);
    control_system_requirement: (* *);
        (* Speed control, manual trajectory control, auto trajectory control,
        manual and auto trim, envelope protection, auto control limiting, lift
        control. *);
end DescentAndApproach;

object Landing instance of MissionSegment is
    components: Deceleration and Touchdown;
    control_action:
        (* Flare, touchdown and decelerate to taxi speed. *);
    driver:
        (* Runway length, crosswind conditions, rapid speed change, tight path
        following all weather landings, ease pilot workload. *);
    control_system_requirement:
        (* Speed control, manual trajectory control, auto trajectory control,
        envelope protection, auto control limiting, lift control, stall angle of
        attack warning. *);
end Landing;

object MissedApproach instance of MissionSegment is
    {control_action:}
    {driver:}
        (* Rapid thrust change; quick, hard maneuvers. *)
    {control_system_requirement:}
        (* Terrain and obstacle avoidance, wind shears, ride quality. *)
    description: (*
        Thrust control, manual trajectory control, envelope protection, lift
        control, engine out augmentation, stall angle of attack *);
end MissedApproach;


object class FlightPath is
    components: Direction, Angle, (*...*);
    operations: ;
    description: (* *);
end FlightPath;
object ActualFlightPath instance of FlightPath is
    components: (*Inherited from FlightPath.*);
    description: (*
        The sensed 4 dimensional flight path and attitudes of the aircraft as
        well as any other sensed values necessary to satisfy the control
        requirements. (See page 13.) *);
end ActualFlightPath;

object TargetFlightPath instance of FlightPath is
    components: ;
    description: (*
        The desired 4 dimensional flight path and attitudes generated by some
        navigation function. (See page 13.) *);
end TargetFlightPath;

object AircraftAttitudes is
    components: Pitch, Roll, Heading;
    description: (*
        Aircraft pitch, roll and heading attitudes. (See page 13.) *);
end AircraftAttitudes;

(*** External forces object. Referenced in ASCT1, but not thoroughly
defined there. See translation notes for further discussion. ***)
object class ExternalForcesOnActuator is
    components: ;
    operations: ;
    description: (* ;
        All forces (in particular environmental forces) other than the actuation
        forces acting on the aerodynamic braking and roll actuation system.*);
end ExternalForcesOnActuator;

(* C.M.F.2 *)

operation EvaluateHandlingQualities is
    components: ;
    inputs: a: Aircraft, m: Mission;
    outputs: PilotRating;
    {agent:} (* Pilot *)
    precond: m.State.FlightEnvelope = Normal;
    postcond: ;
    description: (* *);
end EvaluateHandlingQualities;

operation MinimumAugmentation is
    inputs: A: Aircraft;
    outputs: ;
    description: (* *);
end MinimumAugmentation;

var t: Time;
    m: Mission;
    a: Aircraft;
    fl: FailureLevel;
    ef: ExternalForce;

axiom
    if (exists (t: Time, m: Mission, a: Aircraft)
        (m.Time = t and a.State.HandlingQuality = Degraded))
    then m.State = IsDegraded(m);

axiom
    if (forall (fl: FailureLevel, a: Aircraft)
        Probability(fl) < 1.0*10^-9 and a.State.Mode = CoreControl)
    then MinimumAugmentation(a);

(* An "external forces" axiom that states that external forces exist that
cause anomalous conditions to arise, e.g., degraded handling quality. *)
exists (ef: ExternalForce)
    exists (t: Time)
        if m.Time = t then a.State.HandlingQuality = Degraded;
end FlyMission;


(******************************************************************************
 * Module Crew contains material gleaned from throughout the ASCT1
 * specification. Pp. 196-196 contain very brief object descriptions of the
 * Crew, but no details.
 ******************************************************************************)
module Crew;

object class CrewMember is
    components: Name, SkillLevel, StrengthLevel;
    description: (*
        Class of crew members *);
end CrewMember;

object Pilot instance of CrewMember is
    components: PilotClassification;
    description: (*
        The pilot of the mission *);
end Pilot;

object Copilot instance of CrewMember is
    components: PilotClassification;
    description: (*
        The copilot of the mission *);
end Copilot;

object SkillLevel is number;

object StrengthLevel is number;

object MissionControlSystem is
    components: (* ... *);
    description: (*
        The onboard computer support system. Used as agent of operation where
        appropriate (i.e., in operations that are performed automatically versus
        manually). *);
end MissionControlSystem;

operation PerformPilotFunctions is
    components: ;
    inputs: PFPCFF: PilotFlightPathCommandFeelForce;
    outputs: PLTF: PilotLongitudinalTrimForce,
        PFPCF: PilotFlightPathCommandForce;
    description: (*
        The functions performed by the pilot. *);
end PerformPilotFunctions;

operation PerformCopilotFunctions is
    components: ;
    inputs: CopilotFlightPathCommandFeelForce (* ... *);
    outputs: CopilotLongitudinalTrimForce, CopilotFlightPathCommandForce
        (* ... *);
    (* The functions performed by the copilot. *);
end PerformCopilotFunctions;

end Crew;


(******************************************************************************
 * Module Aircraft contains material gleaned from throughout the ASCT1
 * specification. Pp. 194-197 contain brief object descriptions of the
 * Aircraft, but few details.
 ******************************************************************************)
module Aircraft;

object Aircraft is
    components: State, Structure, MajorSystems, Attitudes, (* ... *);
    operations: ;
    description: (* *);
end Aircraft;

object AircraftState is
    components:
        MCM: ManualControlMode, (* The two modes of aircraft control, q.v. *)
        HQ: HandlingQuality,
        NWP: NoseWheelPosition,
        LEWP: LeadingEdgeWingPosition,
        TEWP: TrailingEdgeWingPosition;
        (*...*)
    operations: (* Many *);
    description: (*
        The top-level repository for all aircraft state information. Note that
        any explicit definition of this object is conspicuously missing from
        ASCT1. *)
end AircraftState;

(* object AircraftState is Aircraft.State; *)
(* Simple naming macro for ASCT1 consistency -- DISCONTINUED SYNTAX *)

object NosewheelPosition is (* pg. 88 *)
    components: ;
    operations: ;
    description: (*
        Angular position of the nosewheel used for on ground low speed heading
        control. *);
end NosewheelPosition;

object AircraftStructure is
    components: Engine*, EngineSupport*, PropellerShaft*, HighLiftDevices
        (* ... *);
    description: (*
        The structural components of the aircraft. Note that only those
        components that appear in the requirements are listed here. A full
        structural decomposition of the aircraft should be done in a complete
        structures module, and would of course be very detailed. *);
end AircraftStructure;

object class StructuralElement is
    components: HowMounted, WhereMounted;
    operations: ;
    description: (* *);
end StructuralElement;

object Engine instance of StructuralElement is
    components: EngineThrust (* ... *);
    description: (*
        The aircraft engine *);
end Engine;

object EngineThrust is (*** See ASCT1 pg. 88. ***)
    components: ;
    operations: ;
    description: (*
        Thrust measurement? *)
end EngineThrust;

(* obj EnginesThrust is Engine.Thrust; *)
(* Simple naming macro for ASCT1 consistency -- DISCONTINUED SYNTAX *)

object HighLiftDevices is
    components: LeadingEdgeFlap*, TrailingEdgeFlap*;
    description: (* *);
end HighLiftDevices;

object HowMounted is
    components: Location (* ... *);
    operations: ;
    description: (* *);
end HowMounted;

object HowMountedLocation is
    components: External or Internal;
end HowMountedLocation;

object External = "External";
object Internal = "Internal";


(* Major Aircraft Systems (ASCT1 pg. 196 and elsewhere). In a full spec,
each component here should undoubtedly be represented in a separate module. *)

object MajorSystems is
    components: SensorSystem, PilotControlSystem, PropulsionSystem,
        AirframeSystem, AutoFlightSystem;
    operations: ;
    description: (* *);
end MajorSystems;

(* Note that this should certainly be integrated as a MajorSystems
component, but it appears as an isolated object in ASCT1. *)
object Autopilot is
    components: ;
    description: (*
        The autopilot control unit. *)
end Autopilot;

(* Flight Modes and Commands *)

object class Mode is
    components: ;
    operations: ;
    description: (*
        A generic flight mode; specializations follow. *);
end Mode;

object class Command is
    components: ;
    operations: ;
    description: (*
        A generic flight command. Note that the component structure of a command
        is not precisely clear from the various appearances of the term
        ''command'' throughout ASCT1. This should be corrected. *)
end Command;


(* Mode Specializations *) 

object ManualFlightMode instance of Mode is
    components: Angle;
    operations: ;
    description: (*
        Appears on ASCT1 pg. 129; no textual description given. *)
end ManualFlightMode;

object AutoFlightMode is
    components: ;
    operations: ;
    description: (* ;
        Appears on ASCT1 pg. 129; no textual description given. *)
end AutoFlightMode;


(* Command Specializations *)

object ManualFlightPathCommand instance of Command is
    components: Angle;
    operations: ProvideLongitudinalEnvelopeProtection,
        GenerateFlightPathCommand, GenerateFlightPathCmdManual;
    description: (*
        Flight path angle command generated manually (i.e., by the crew) *);
end ManualFlightPathCommand;

object AutoFlightPathCommand instance of Command is
    components: Angle;
    operations: ;
    description: (*
        Flight path command generated in an automated fashion (i.e., by a
        computer system) *);
end AutoFlightPathCommand;

end Aircraft;


(******************************************************************************
 * Module Navigate is largely a place holder for information that is outside of
 * the specific focus of this document, but which should be represented
 * formally in some form in a complete document. Pages 12 and 13 are the only
 * explicit mention of a Navigate function in ASCT1.
 ******************************************************************************)

module Navigate;


(* Evidently outside of the scope of this spec *)
operation Navigate is
    components: ;
    inputs: Mission;
    outputs: TargetFlightPath;
    description: (*
        Generates the target flight path based on the particular mission
        requirements and anticipated and sensed environmental conditions. *);
end Navigate;


end Navigate;


(******************************************************************************
 * Module ControlMissionFlight contains the top-level functional components
 * of the system, defined on pp. 17-89 of ASCT1.
 ******************************************************************************)


module ControlMissionFlight;


from FlyMission import ActualFlightPath, TargetFlightPath,
    ExternalForcesOnActuator, AircraftAttitudes;
from Mission import MissionState;
from Aircraft import AircraftState, EnginesThrust;
from ControlYaw import ExternalForcesOnYawActuator,
    DisplayedDirectionalTrimPos;
from ControlAerodynamicBraking import DisplayedInflightBrakePos;
from ControlPitch import DisplayedLongitudinalTrimPosition,
    ExternalForcesOnPitchActuator, StallAngleOfAttackwarning;
from ControlRoll import DisplayedRollTrimPosition;
from ControlLiftConfiguration import DisplayedConfigAndFailureStatus;

define attribute CMF1;  (* General Control Requirements *)
define attribute CMF2;  (* Handling Qualities *)
define attribute CMF3;  (* Operational Flight Envelope *)
define attribute CMF4;  (* Manual and Automatic Trim Functions *)
define attribute CMF5;  (* Envelope protection *)
define attribute CMF6;  (* Autopilot Limiting and Actuation *)
define attribute CMF7;  (* Maneuver Control Lags *)
define attribute CMF8;  (* Requirements in Icing Conditions *)
define attribute CMF9;  (* Control System Stability Requirement *)
define attribute CMF10; (* Residual Oscillations *)
define attribute CMF11; (* Longitudinal Control Power Requirements *)
define attribute CMF12; (* Longitudinal Trim Authority *)
define attribute CMF13; (* Enhanced Longitudinal Control Maneuver Response *)
define attribute CMF14; (* Roll Mode Time Constant *)
define attribute CMF15; (* Pilot-Induced Oscillations *)
define attribute CMF16; (* Stall Characteristics *)
define attribute CMF17; (* Lateral Control Power Requirements *)
define attribute CMF18; (* Roll Response Linearity *)
define attribute CMF19; (* Roll Control Cross Coupling *)
define attribute CMF20; (* Lateral Trim Authority *)
define attribute CMF21; (* Enhanced Roll Maneuver Control *)
define attribute CMF22; (* Dynamic Stability *)
define attribute CMF23; (* Turn Coordination *)
define attribute CMF24; (* Directional Control Power Requirements *)
define attribute CMF25; (* Directional Trim Authority *)
define attribute CMF26; (* Flutter Prevention Requirements *)


operation ControlMissionFlight is (* pp. 13, 87 *)
    components: ControlThrust, ControlPitch, ControlRoll, ControlYaw,
        ControlHeadingOnGround, ControlAerodynamicBraking,
        ControlBrakingOnGround, ControlLiftConfig, UpdateAircraftState;
    inputs: TargetFlightPath, ExternalForcesOnActuator,
        ExternalForcesOnYawActuator, ExternalForcesOnPitchActuator,
        EnginesThrust;
    outputs: DisplayedLongitudinalTrimPosition, StallAngleOfAttackwarning,
        DisplayedRollTrimPosition, DisplayedDirectionalTrimPos,
        AircraftAttitudes, ActualFlightPath, DisplayedInflightBrakePos,
        DisplayedConfigAndFailureStatus;
    description: (*
        Receives a target flight path (generated by navigation) and generates
        control signals for the actuation systems which generate the forces and
        moments to control the aircraft attitudes to generate a flight path which
        matches the target flight path. *)
end ControlMissionFlight;


(* General Remarks:

DSBP: 1a
Means shall be provided to indicate to the flight crew the position of the
speed brake system.

DSBP: 1b
Annunciation of failures or system operation which could result in an
unsafe condition if the crew were not aware of the condition shall be
provided (FAR 25.672a)

DSBP: 1c
Annunciation to the crew (in the form of an aural warning) shall be
provided for speedbrake deployment or the following condition: take-off
power and airplane on ground. (FAR 25.703a)
*)


(*** The following are atomic component operations of ControlMissionFlight.
The remaining component operations are at the head of their respective
modules. ***)

operation ControlThrust is
    inputs: (* Note that there should probably be inputs here. *);
    outputs: ThrustVectorActuatorConfiguration;
    description: (*
        No description in ASCT1 *);
end ControlThrust;

operation ControlHeadingOnGround is
    components: ;
    inputs: (* Ibid. *);
    outputs: NosewheelPosition;
    description: (*
        No description in ASCT1. Note also that lack of inputs is suspicious *);
end ControlHeadingOnGround;

operation ControlBrakingOnGround is
    components: ;
    inputs: (* Ibid. *);
    outputs: WheelBrakingPosition;
    description: (*
        No description in ASCT1. Note also that lack of inputs is suspicious *);
end ControlBrakingOnGround;

(*** Organizationally, this operation would probably better be included in
the Aircraft module. It is here to maintain some lexical correspondence
with ASCT1. ***)

operation UpdateAircraftState is
    components: ;
    inputs: ThrustVectorActuatorConfiguration, PitchActuatorPosition,
        RollActuatorPosition, YawActuatorPosition, NosewheelPosition,
        DragActuatorPosition, WheelBrakePosition, LiftConfig, AircraftState;
    outputs: AircraftAttitudes, ActualFlightPath, AircraftState;
    description: (*
        Includes the airframe and the flight environment and outputs the aircraft
        flight state as a result of the flight state and the configuration of the
        flight control system. Note: this appears to be a rather imprecise
        description; furthermore, inputs and outputs are not clearly specified.
        See translation notes for further discussion. *);
end UpdateAircraftState;

(*** The following are atomic operations of Control Mission Flight, from pp.
87-88 of ASCT1. Global non-atomic operations, such as AircraftState,
ActualFlightPath, and TargetFlightPath are defined in appropriate major
object modules. Local objects that belong to functions defined in other
modules, such as PitchActuatorPosition, are defined in the appropriate
operation modules. Use the browser to find their definitions. ***)

object ThrustVectorActuatorConfiguration is
    components: ;
    operations: ;
    description: (*
        Configuration of the system which controls the magnitude and direction of
        the thrust vector.*);
end ThrustVectorActuatorConfiguration;


(*** General Control Requirements (C.M.F.1), Pg. 18: Two modes of manual
control shall be provided: core control and enhanced control. ***)

object ManualControlMode is
    components: CoreControl or EnhancedControl;
    description: (*
        The core control mode provides the minimum level of augmentation (e.g.,
        yaw damper, Mach trim, etc.) required by FAA certification at all failure
        levels not extremely improbable (probability < 1.0E-9). *)
end ManualControlMode;

(*** pg. 18: Transfer between core and enhanced control modes. ***)
operation TransferControlMode is
    inputs: AS: AircraftState;
    outputs: AS': AircraftState;
    postcond: if AS.ManualControlMode = CoreControl
        then AS'.ManualControlMode = EnhancedControl;
    {agent: Crew or AutoControlUnit}
end TransferControlMode;

object CoreControl = "CoreControl";
object EnhancedControl = "EnhancedControl";

object HandlingQuality is
    components: Normal or Degraded;
end HandlingQuality;

object Normal = "Normal";
object Degraded = "Degraded";

end ControlMissionFlight;


(******************************************************************************
 * Module ControlAerodynamicBraking from pp. 90-107
 ******************************************************************************)
module ControlAerodynamicBraking;

from FlyMission import TargetFlightPath, ActualFlightPath,
    ExternalForcesOnActuator;

define operation attribute CAB1, CAB1a, CAB1b, CAB1c, CAB1d,
    CAB2, CAB2a, CAB2b;

operation ControlAerodynamicBraking is (*** pg. 88, 105-107 ***)
    components:
        GenerateManualBrakeCommand, GenerateAutoBrakeCommand,
        DisplaySpeedBrakePos, MoveDragActuator, ProvideCrewBrakingInterface,
        GenerateDragActuatorCommand;
    inputs: TargetFlightPath, ExternalForcesOnActuator, ActualFlightPath;
    (* NOTE: Inconsistency in outputs from ControlAerodynamicBraking between
    pages 87 versus 105. *)
    outputs: DragActuatorPosition, DisplayedInflightBrakePos,
        DragActuatorDisplacement;
    description: (*
        Controls drag and lift dumping to provide an aerodynamic braking
        capability. *);

    CAB1: (* (pg. 90)
        Manual and automatic control of aerodynamic braking shall be available.
        Manual control shall be able to override the automatic control function.
        Aerodynamic speed brake control function shall be available
        for on-ground and in-flight operation. *);

    CAB1a: (* 1.0 Ground Speed Brake Control
        Ground speedbrake control shall provide ground deceleration capability
        consistent with operational field landing length requirements.*)
        (* See predicates on DecelerateOnGround operation. *);

    CAB1b: (* 1.2.0a Inflight Speed Brake Control
        The inflight speed brake actuators shall be sized to give adequate
        inflight deflection at Vmo/Mmo for emergency descent.*);
        (*
        SpeedBrakeActuators.Size = AdequateInflightDeflection(Vmo, Mmo) *)

    CAB1c: (* 1.2.0b Inflight Speed Brake Control
        Normal descent speed brake requirements shall not cause objectionable
        horizontal tail buffet of engine flow distortion (FAR 25.251b) *);
        (* See predicates on Descend and OperateEngine operations. *)

    CAB1d: (* 1.2.0c CAB 2.0c Inflight Speed Brake Control
        Control forces to trim the pitching moment change shall be less
        than or equal to those required by FAR 25.143(b) *);
        (* axiom
        Pitching.Moment.ControlForces <= FAR25_143_b; *)
        (* Note that reference to FAR functions assumes their definition
         * elsewhere. *)

    CAB2a: (* Aerodynamic Braking Function Availability Requirements *);

    CAB2a: (*
        Each individual speed brake device shall provide fail-passive control for
        failure modes more probable than 10-7/flt hour. *);

    CAB2b: (*
        Loss of all speedbrake control shall be less than 10-7/flt hour. *);

end ControlAerodynamicBraking;

operation GenerateManualBrakeCommand is
    components: ;
    inputs: TargetFlightPath, ActualFlightPath;
    outputs: CrewBrakeForce;
    {agent: Crew;}
    description: (*
        Generates the speedbrake command manually (i.e., by the crew). *)
end GenerateManualBrakeCommand;

operation GenerateAutoBrakeCommand is
    components: ;
    inputs: TargetFlightPath, ActualFlightPath;
    outputs: AutoBrakeCommand;
    {agent: FlightControlSystem;}
    description: (*
        Involves generation of the speedbrake command in an automated fashion *)
end GenerateAutoBrakeCommand;

operation DisplaySpeedBrakePos is
    components: ;
    inputs: DragActuatorDisplacement;
    outputs: DisplayedInflightBrakePos;
    description: (* *);
    (* Indicates to the flight crew the position of the speedbrake system and
    annunciates unsafe speedbrake positions and unsafe failures. *)
end DisplaySpeedBrakePos;

operation MoveDragActuator is
    components: ;
    inputs: DesiredDragActuatorPosition, ExternalForcesOnActuator;
    outputs: DragActuatorDisplacement;
    description: (*
        Moves the position of the system which provides the aerodynamic braking
        and lift dumping capability (spoiler/speedbrakes) *);
end MoveDragActuator;

operation ProvideCrewBrakingInterface is
    components: ;
    inputs: CrewBrakeForce;
    outputs: ManualBrakeCommand;
    description: (*
        Converts the force exerted by the crew into an aerodynamic braking
        command. *);
end ProvideCrewBrakingInterface;

operation GenerateDragActuatorCommand is
    components: ;
    inputs: ManualBrakeCommand, AutoBrakeCommand;
    outputs: DesiredDragActuatorPosition;
    description: (*
        Generates a drag actuator command based on the manual and auto braking
        commands. *);
end GenerateDragActuatorCommand;

object DragActuatorPosition is (* pg. 88 *)
    operations: ControlAerodynamicBraking, UpdateAircraftState;
    description: (*
        Position of the system used to generate drag used for in air and on
        ground aerodynamic braking. *);
end DragActuatorPosition;

object DisplayedInflightBrakePos is (* pg 106 *)
    operations: ControlMissionFlight, ControlAerodynamicBraking,
        DisplaySpeedBrakePos;
    description: (*
        Indication to the crew of the speedbrake position and status. *);
end DisplayedInflightBrakePos;

object DragActuatorDisplacement is (* pg. 106 *)
    operations: ControlAerodynamicBraking, DisplaySpeedBrakePos,
        MoveDragActuator;
    description: (*
        Displacement of the drag actuators (i.e., the speedbrakes). *);
end DragActuatorDisplacement;

object AutoBrakeCommand is (* pg. 106 *)
    operations: GenerateAutoBrakeCommand, GenerateDragActuatorCommand;
    description: (*
        The automatically (non-manual) generated aerodynamic braking command. *);
end AutoBrakeCommand;

object CrewBrakeForce is (* pg. 106 *)
    operations: GenerateManualBrakeCommand, ProvideCrewBrakingInterface;
    description: (*
        Force exerted by crew (pilot or copilot) on the aerodynamic braking
        controller. *);
    (* NOTE: some reconciliation with the Crew module should be
    made for this and other crew-related objects. *);
end CrewBrakeForce;

object DesiredDragActuatorPosition is (* pg. 106 *)
    operations: MoveDragActuator, GenerateDragActuatorCommand;
    description: (*
        The commanded drag actuator position. *);
end DesiredDragActuatorPosition;

object ManualBrakeCommand is (* pg. 106 *)
    operations: ProvideCrewBrakingInterface, GenerateDragActuatorCommand;
    description: (*
        The speedbrake command generated as a result of the crew exerting a force
        on the controller. *);
end ManualBrakeCommand;

end ControlAerodynamicBraking;


* Module ControlLif tConfiguration from pp. 92-119 


module ControlLif tConfigurat ion; 

from FlyMission import TargetFlightPath, ActualFlightPath; 


define operation attribute CLC; 

operation ControlLif tConfig is 
components: ; 

inputs : TargetFlightPath, ActualFlightPath; 
outputs : DisplayedConfigAndFailureStatus, Lif tConfig; 
description: 

( * Configures the wing for different lift properties such that required 
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lift and control is achieved at low speed (takeoff and landing) and low 
drag an be achieved at high speeds. *) ; 

CLC : { * 1 

The wing high lift design (both leading edge and trailing edge devices) 
shall be adjustable to provide a variable lift capability to ensure the 
achievement of low speeds performance requirements coupled with certifiable 
handling characteristics. Manual and automatic system operation shall be 
provided. High lift device position indication and failure status shall be 
available. *);

CLC: (*2 p. 93. Lift configuration control function availability
requirements. The high lift system shall provide the following functional
availability (function, probability of loss of function):
(LE and TE Control, 10-7) 

(LE Control, 10-6) 

(TE Control, 10-6) 

(Autoslat, 10-5) 

(Flap load relief, 10-5) 

(LE and TE Failure annunciation, 10-5) 

(LE Control and LE Failure annunciation, 10-9) 

(TE Control and TE Failure annunciation, 10-9)*); 

end ControlLiftConfig;

operation GenerateMaualConfigCmd is 
components: ; 

inputs: TargetFlightPath, ActualFlightPath; 
outputs: CrewConfigCmdForce;

(* Note inconsistent names pp. 88, 112, 113. *)

{agent: Crew;}
description: (*

Involves the generation of the high lift configuration command in the
manual fashion (i.e., by the crew). Note that name spelling (...Cmd) is
not consistent with spellings of comparable operations (i.e.,
...Command). *);

end GenerateMaualConfigCmd; 

operation GenerateAutoConfigCommand is 
components: ; 

inputs: TargetFlightPath, ActualFlightPath; 
outputs: AutoConfigCommand; 

{agent: MissionFlightSystem;}
description: (* 

Generates the high lift configuration command in an automated fashion 
(i.e., by the computer system). *);

end GenerateAutoConfigCommand; 

operation DisplayConfigAndFailStatus is 
components: ; 

inputs: HighLiftConfigAndFailureStatus;
outputs: DisplayedConfigAndFailureStatus;
description: (*

Displays to the crew the position of the high lift devices and
annunciates any high lift device failure conditions. *);

end DisplayConfigAndFailStatus;

operation MoveLiftConfigActuator is
components: ; 

inputs: HighLiftActuatorCommands;
outputs: HighLiftDevicePositions, HighLiftConfigAndFailureStatus,
LiftConfig;
description: (* 

Involves the actuation of the high lift devices (i.e., the leading edge 
and trailing edge flaps). *); 
end MoveLiftConfigActuator;

operation ProvideCrewConfigInterface is
components: ; 

inputs: CrewHLConfigCmdForce;
outputs: ManualConfigCmd; 
description: (* 

Provides the interface which allows the crew to input commands to the 
high lift system. See notes in analysis section about ad hoc user 
interface specification in the original ASCT1. *);
end ProvideCrewConfigInterface;

operation GenerateConfigActuatorCmd is
components: ;

inputs: AutoConfigCommand, HighLiftDevicePositions, ManualConfigCmd;
outputs: HighLiftActuatorCommands;
description: (* 

Involves the actuation of the high lift devices (i.e., the leading edge 
and trailing edge flaps). *); 
end GenerateConfigActuatorCmd; 

object AutoConfigCommand is (* pg. 113 *) 

operations: GenerateAutoConfigCommand, GenerateConfigActuatorCmd;
description: (* 

The automatically generated commands for the leading edge and trailing 
edge high lift devices. *); 
end AutoConfigCommand; 

object CrewConfigCmdForce is (* pg. 113 *)

operations: GenerateMaualConfigCmd, ProvideCrewConfigInterface;
description: (*

This is the force exerted by the crew to generate the manual high lift
configuration command. *);
end CrewConfigCmdForce; 

object DisplayedConfigAndFailureStatus is (* pg. 113 *) 
operations: ControlMissionFlight, ControlLiftConfig,
DisplayConfigAndFailStatus;
description: (*

*);

end DisplayedConfigAndFailureStatus;

object HighLiftActuatorCommands is (* pg. 113 *)

operations: MoveLiftConfigActuator, GenerateConfigActuatorCmd;
description: (*

Commands to the various actuators which move the leading edge and trailing
edge flaps. *);

end HighLiftActuatorCommands;

object HighLiftDevicePositions is (* pg. 113 *)

operations: MoveLiftConfigActuator, GenerateConfigActuatorCmd;
description: (* 

Sensed positions of the leading edge and trailing edge high lift positions.

*);

end HighLiftDevicePositions;

object HighLiftConfigAndFailureStatus is (* pg. 113 *)

operations: DisplayConfigAndFailStatus, MoveLiftConfigActuator;
description: (* 

Position of leading edge and trailing edge high lift devices and failure 
status of the high lift devices. *); 
end HighLiftConfigAndFailureStatus;

object LiftConfig is 

components: (* Surmised from prose description on pg. 113. *)

LeadingEdgeWingPos, TrailingEdgeWingPos;
operations: UpdateAircraftState, ControlLiftConfig;
description: (*

Configuration of the lift system to achieve necessary lift to support
desired flight path angle at all mission phases (speeds and altitudes).

The record consists of the leading edge and trailing edge wing positions.

*);

end LiftConfig;

end ControlLiftConfiguration;


(*****************************************************************************
* Module ControlPitch from pp. 120-144
*****************************************************************************)
module ControlPitch; 

from FlyMission import TargetFlightPath, ActualFlightPath,
ExternalForcesOnActuator;

from Aircraft import AutoFlightPathCommand, ManualFlightPathCommand;

define operation attribute LAPC; 

define operation attribute PLEP; 

define operation attribute PSAW; 

operation ControlPitch is (* pp. 87, 120 *)

components: GenerateLongitudinalTrimCommand, DisplayLongitudinalTrimStatus,
GeneratePitchActuatorCommand, MovePitchActuators,
ProvideStallAngleOfAttackwarning, ProvideLongitudinalEnvelopeProtection,
GenerateFlightPathCommand, LimitAutoPitchCommand;
inputs: ActualFlightPath, ExternalForcesOnPitchActuator, TargetFlightPath;
outputs: StallAngleOfAttackwarning, DisplayedLongitudinalTrimPosition,
PitchActuatorPosition;
description: (* 

Performs all functions required to control the lateral axis by 
controlling the pitch angle. *); 


LAPC: 

(* 

*) ; 

PLEP:

(*

*) ; 

PLEP: 

(* 

*) ; 

PSAW:

(*

*) ; 


end ControlPitch;

operation GenerateLongitudinalTrimCommand is
components: ;

inputs: ;

outputs: AutoLongitudinalTrimCommand, ManualLongitudinalTrimCommand;
description:

(* Generates trim commands to offload steady state pitch commands from
the elevator to the stabilizer. *)
end GenerateLongitudinalTrimCommand;

operation DisplayLongitudinalTrimStatus is 
components: ;

inputs: LongitudinalTrimPosition;

outputs: DisplayedLongitudinalTrimPosition;

description: (*

Displays the longitudinal trim status to the crew. NOTE: inconsistency
in this function name on pp. 120 and 121. *)
end DisplayLongitudinalTrimStatus;

operation GeneratePitchActuatorCommand is 
components: ;

inputs: LimitedFlightPathCommand, ManualLongitudinalTrimCommand,
AutoLongitudinalTrimCommand, ActualFlightPath;
outputs: DesiredPitchActuatorPosition, LongitudinalTrimPosition;
description: (*

Generates the pitch actuator (elevator and stabilizer) position command 
based on the flight path angle and longitudinal trim commands *) 
end GeneratePitchActuatorCommand; 

operation MovePitchActuators is 
components: ; 

inputs: DesiredPitchActuators, ExternalForcesOnActuator;
outputs: PitchActuatorPosition;
description: (*

Receives the desired pitch actuators positions and attempts to
move the actuators to those positions. *)
end MovePitchActuators; 

operation ProvideStallAngleOfAttackwarning is
components: ;

inputs: ActualFlightPath;
outputs: StallAngleOfAttackwarning;
description: (* 

Monitors the aircraft flight path state vector and attitudes and 
generates a warning for the crew when approaching the aircraft stall 
angle of attack. NOTE naming inconsistency on pp. 120 and 121. *) 
end ProvideStallAngleOfAttackwarning;

operation ProvideLongitudinalEnvelopeProtection is 
components: ;

inputs: ActualFlightPath, ManualFlightPathCommand, LimitedFlightPathCommand;
outputs: LimitedFlightPathCommand;
description: (*

Monitors the aircraft states and modifies the flight path angle command 
as necessary to satisfy the longitudinal envelope protection 
requirements. *); 

end ProvideLongitudinalEnvelopeProtection;

operation GenerateFlightPathCommand is

components: GenerateFlightPathCommandManual,
MakeManualVsAutoFlightModeDecision, EngageManOrAutoOperation,
GenerateFlightPathCommandAuto;
inputs: TargetFlightPath, ActualFlightPath; 
outputs: ManualFlightPathCommand, AutoFlightPathCommand; 
description: (* 

Compares the actual flight path angle to the desired flight path angle 
and generates the necessary flight path angle command. *);
end GenerateFlightPathCommand; 

operation LimitAutoPitchCommand is 
components: ; 

inputs: AutoFlightPathCommand; 
outputs: LimitedFlightPathCommand;
description: (* 

Limits the autopilot control authority and protects against failures (in 
particular hardover and oscillatory failures) in the autopilot. *); 
end LimitAutoPitchCommand; 

(* Pp. 127 - 128 *) 

operation GenerateFlightPathCmdManual is

inputs: ActualFlightPath, TargetFlightPath;
outputs: ManualFlightPathCommand;
description: (* 

Involves the generation of a flight path command manually (i.e., by the 
crew) as a result of comparing the target and actual flight paths. *); 
end GenerateFlightPathCmdManual;

operation GenerateFlightPathCmdAuto is 
inputs: ; 
outputs: ; 

description: (* 

Generates a flight path angle command automatically (i.e., by the
computer) as a result of the difference between the actual and target 
flight paths. *); 
end GenerateFlightPathCmdAuto; 

operation MakeManualVsAutoFlightModeDecision is
inputs: ManualFlightMode;
outputs: AutoFlightMode;
description:

(* Decides whether to generate flight path commands manually or
automatically. *);

end MakeManualVsAutoFlightModeDecision;

{Evidently already defined -- FIX 
operation EngageManOrAutoOperation is
inputs: ManualFlightMode;
outputs: AutoFlightMode;
description: (*

Activates one of the flight path command generation processes depending
on the mode engaged. *);
end EngageManOrAutoOperation;

}

object ExternalForcesOnPitchActuator instance of ExternalForcesOnActuator is
operations: ControlMissionFlight, ControlPitch;
description: (*

All forces (in particular environmental forces) other than the actuation
forces acting on the pitch actuator. *);
end ExternalForcesOnPitchActuator; 

object DisplayedLongitudinalTrimPosition is

operations: ControlMissionFlight, ControlPitch,
DisplayLongitudinalTrimStatus;
description:

(* The longitudinal trim position displayed to the crew *)
end DisplayedLongitudinalTrimPosition;

object AutoLongitudinalTrimCommand is 

operations: GenerateLongitudinalTrimCommand, GeneratePitchActuatorCommand;
description: (* 

The Longitudinal trim command generated automatically during enhanced 
manual control and autoflight control *) 
end AutoLongitudinalTrimCommand; 

object ManualLongitudinalTrimCommand is

operations: GenerateLongitudinalTrimCommand, GeneratePitchActuatorCommand;
description: (*

The longitudinal trim command generated by the crew for use during normal
and backup control *);
end ManualLongitudinalTrimCommand;

object AutoFlightPathCommand is

operations: GenerateFlightPathCommand, LimitAutoPitchCommand;
description: (* 

The flight path command generated automatically during enhanced manual 
control and autoflight control *); 
end AutoFlightPathCommand; 

object LongitudinalTrimPosition is

operations: DisplayLongitudinalTrimStatus, GeneratePitchActuatorCommand,
GeneratePitchActuatorCommand;
description:

(* Position of the longitudinal trim actuator *)
end LongitudinalTrimPosition;

object ActualFlightPath is
operations: ; 

description: (* 

The sensed 4 dimensional flight path & attitudes of the aircraft as well 
as other sensed values necessary to satisfy the control requirements.*); 
end ActualFlightPath; 

object LimitedFlightPathCommand is

operations: GeneratePitchActuatorCommand,
ProvideLongitudinalEnvelopeProtection, LimitAutoPitchCommand;
description: (* 

The flight path command limited such that envelope protection is not 
violated. *); 

end LimitedFlightPathCommand;


object StallAngleOfAttackwarning is

operations: ControlMissionFlight, ControlPitch,
ProvideStallAngleOfAttackwarning;
description: (* 

The audible and visual indication to the crew that the aircraft is 
approaching the stall angle of attack. *);
end StallAngleOfAttackwarning;

object PitchActuatorPosition is 
operations: ; 
description: (* 

The Position of the actuator(s) which provide(s) aircraft pitch maneuver
and trim control. *);
end PitchActuatorPosition;

(* object TargetFlightPath is FlyMission.TargetFlightPath; *)

object DesiredPitchActuatorPosition is 

operations: GeneratePitchActuatorCommand, MovePitchActuators; 
description: (* 

The desired pitch actuator (elevator) position such that the limited 
flight path angle command is achieved *); 
end DesiredPitchActuatorPosition; 

(* object ExternalForcesOnActuator = FlyMission.ExternalForcesOnActuator; *)
end ControlPitch; 


(*****************************************************************************
* Module FlightControlSystemPitchFunctions from pp. 129-144
*****************************************************************************)
module FlightControlSystemPitchFunctions;

from ControlPitch import PitchActuatorPosition; 
from Aircraft import AutoFlightPathCommand; 

operation FlightControlSystemPitchContext is 

components: PerformPilotFunctions, PerformCopilotFunctions,
FlightControlSystemPitchFunctions, PerformAutoFlightSystemFunctions;
inputs:

(* Unclear -- see pg. 129. *);
outputs: PitchActuatorPosition;

description: (* Unclear -- see pp. 129-130. *);

end FlightControlSystemPitchContext;

operation FlightControlSystemPitchFunctions is 

components: ProvidePilotPitchInterface, ProvideCopilotPitchInterface,
DisplayLongitudinalTrimStatus, ResolvePitchControlContention,
GeneratePitchActuatorCommand, MovePitchActuators,
ProvideStallAngleOfAttackwarning,
DisplayLongitudinalEnvelopeProtectStatus,
ProvideLongitudinalEnvelopeProtection, LimitAutoPitchCommands;
inputs: PilotLongitudinalTrimForce, PilotFlightPathCommandForce,
CopilotLongitudinalTrimForce, CopilotFlightPathCmdForce,
AutoLongitudinalTrimCommand, AutoFlightPathCommand
(* PLUS MAYBE THE FOLLOWING DUE TO AMBIGUITY ON PP. 129 VS 133: *)
, ActualFlightPath, ExternalForcesOnActuator;
outputs: PilotFlightPathCmdFeelForce, CopilotFlightPathCmdFeelForce,
PitchActuatorPosition;
description: (* 

Note that the following description is taken from ASCT1 page 130, but it
is not a fully accurate description of this operation as it is defined in
WSRSL. See the remarks in the first-year report.

Contains all the flight control functions assigned to the FCS. As a
result of this assignment several new processes are created. Some of
these are interface functions and others are as a result of how functions
were allocated to the AEs. (I.e., Envelope Protection was assigned to
the FCS with a probability of failure < 10E-6. However this function
requires <10E-9. Therefore the pilot and copilot must perform envelope
protection when not being performed by the FCS. Thus a pilot indication
function of the status of envelope protection is generated.) Pilot and
copilot can command roll rate, thus there is a function requirement to
resolve control contention. *)
end FlightControlSystemPitchFunctions;

object CopilotFlightPathCommandFeelForce is 
components: ;

description: (*

A resistance force exerted by the controller which is a feedback to the
copilot indicative of the flight path angle. *);
end CopilotFlightPathCommandFeelForce;

object CopilotFlightPathCommandForce is
components: ;

description: (*

The physical force generated by the copilot to control the aircraft
flight path angle. It is in the form of a force exerted by the pilot's
hand. *);

end CopilotFlightPathCommandForce;

object CopilotLongitudinalTrimForce is 
components: ; 

description: (* 

The physical force exerted by the copilot's hand to generate the desired 
longitudinal trim command. *); 
end CopilotLongitudinalTrimForce;

object PilotFlightPathCommandForce is 
components: ; 
description: (* 

The physical signal created by the pilot to control the aircraft flight 
path. It is in the form exerted by the pilot.*); 
end PilotFlightPathCommandForce; 

object PilotFlightPathFeelForce is
components: ; 

description: (* 

A resistance force exerted by the controller which is a feedback to the 
pilot indicative of the flight path command. *); 
end PilotFlightPathFeelForce;

object PilotLongitudinalTrimForce is
description: (*

This flow is the physical force exerted by the pilot's hand to generate
the desired longitudinal trim command. *);
end PilotLongitudinalTrimForce;

(* Pp. 133 - 135 *)

operation ProvidePilotPitchInterface is
components: ; 

inputs: PilotLongitudinalTrimForce, PilotFlightPathCmdForce;
outputs: PilotFlightPathCmdFeelForce, PilotLongitudinalTrimCommand,
PilotFlightPathCommand;
description: (*

Converts the signal received from the pilot in the form of a force
exerted by the pilot into a flight path angle command signal to be used
by the FCS. It also provides the pilot with a feedback feel force
indicative of the command. *);
end ProvidePilotPitchInterface;

operation ProvideCopilotPitchInterface is

components: ConvertForceToDisplacement, GenerateLongitudinalFeelForce,
TranslateFlightPathDisplacementToCommand,
TranslateTrimForceToTrimCommand;

inputs: CopilotFlightPathCmdForce, CopilotLongitudinalTrimForce;
outputs: CopilotFlightPathCmdFeelForce, CopilotFlightPathCommand,
CopilotLongitudinalTrimCommand;
description: (*

Provides the same capability for the copilot as the
ProvidePilotPitchInterface does for the pilot. *);
end ProvideCopilotPitchInterface;

{Evidently already defined -- FIX 
operation DisplayLongitudinalTrimStatus is 
components: ; 
inputs: ; 

outputs: LongitudinalTrimPosition;
description: (*

Displays the longitudinal trim status to the crew. *);
end DisplayLongitudinalTrimStatus;

} 


operation ResolvePitchControlContention is
components: ;

inputs: CopilotFlightPathCommand, CopilotLongitudinalTrimCommand,
PilotFlightPathCommand, PilotLongitudinalTrimCommand;
outputs: ManualFlightPathCommand;
description: (*

Generated by the assignment of the GenerateFlightPathCommandManual to
both the pilot and copilot. NOTE: this description is unclear. *);
end ResolvePitchControlContention;

{Evidently already defined -- FIX 
operation GeneratePitchActuatorCommand is 
components: ; 

inputs: ManualFlightPathCommand, ActualFlightPath,
AutoLongitudinalTrimCommand;
outputs: LongitudinalTrimPosition, DesiredPitchActuatorPosition;
description: (*

Generates the pitch actuator (elevator and stabilizer) position commands
based on the flight path angle and longitudinal trim commands.

*);

end GeneratePitchActuatorCommand;

}

{Evidently already defined -- FIX 
operation MovePitchActuators is 
components: ; 

inputs: DesiredPitchActuatorPosition, ExternalForcesOnActuator;
outputs: PitchActuatorPosition; 
description: (* 

Receives the desired pitch actuators positions and attempts to move the 
actuators to those positions. *); 
end MovePitchActuators; 

}

{Evidently already defined -- FIX 
operation ProvideStallAngleOfAttackwarning is
components: ;

inputs: ActualFlightPath;
outputs: StallAngleOfAttackwarning;
description: (*

Monitors the aircraft flight path state vector and attitudes and
generates a warning for the crew when approaching the aircraft stall
angle of attack. *);
end ProvideStallAngleOfAttackwarning;

} 


(* NOTE: Inconsistent Names Pp. 133, 134 *)
operation DisplayLongitudinalEnvelopeProtectStatus is
components: ;

inputs: LongitudinalEnvelopeProtectStatus;

outputs: DisplayedLongitudinalEnvelopeProtectStatus;

description: (* 

Results from the allocation of ProvideLongitudinalEnvelopeProtection to 
the FCS with a probability of loss of function of <10E-6. Pitch envelope 
protection has a req for probability of loss of function <10E-9, and thus 
the crew has responsibility for pitch envelope protection when not 
performed by the FCS. Thus the crew must be aware of envelope protect 
status, hence the functional requirement to 
DisplayLongitudinalEnvelopeProtectStatus *);
end DisplayLongitudinalEnvelopeProtectStatus;

{Evidently already defined -- FIX 
operation ProvideLongitudinalEnvelopeProtection is 
components: ; 

inputs: ActualFlightPath, LimitedFlightPathCommand,
ManualFlightPathCommand;

outputs: LimitedFlightPathCommand, LongitudinalEnvelopeProtectStatus;
description: (*

Monitors the aircraft states and modifies the flight path angle command
as necessary to satisfy the longitudinal envelope protection
requirements.
*);

end ProvideLongitudinalEnvelopeProtection;

} 


operation LimitAutoPitchCommands is 
components: ; 

inputs: AutoFlightPathCommand;
outputs: LimitedFlightPathCommand;
description: (*

Limits the autopilot control authority and protects against failures (in
particular hardover and oscillatory failures) in the autopilot. *);
end LimitAutoPitchCommands;

(**** pilot Pitch Interface, pp. 137-138 ****)
operation ConvertForcesToDisplacement is 
components: ; 

inputs: FlightPathCommandForce, FlightPathCommandFeelForce;
outputs: FlightPathCommandDisplacement;
description: (* 

Receives the pilot force and feedback feel force and generates a 
displacement. Note name inconsistency on pp. 137, 138. *) 
end ConvertForcesToDisplacement;

operation GenerateLongitudinalFeelForce is
components: ;

inputs: FlightPathAngleCommand;
outputs: FlightPathCommandFeelForce;
description: (*

Generates a force to feedback to the pilot which is indicative of the
pitch maneuver and trim commands. Note name inconsistency pp. 137,138.
*);

end GenerateLongitudinalFeelForce;

operation TranslateFlightPathDisplacementToCommand is
components: ;

inputs: FlightPathCommandDisplacement;
outputs: FlightPathAngleCommand;
description: (*

Translates the physical displacement of the pitch controller into a
flight path command. Note name inconsistency pp. 137,138. *);
end TranslateFlightPathDisplacementToCommand;

operation TranslateTrimForceToTrimCommand is
components: ;

inputs: LongitudinalTrimForce;
outputs: LongitudinalTrimCommand;
description: (*

Converts the physical displacement generated by the physical force
exerted by the pilot into a trim command for use by the FCS. Note name
inconsistency pp. 137,138. *);
end TranslateTrimForceToTrimCommand;

end FlightControlSystemPitchFunctions;


(*****************************************************************************
* Module ControlRoll from pp. 145-168
*****************************************************************************)

module ControlRoll; 

from FlyMission import TargetFlightPath, ActualFlightPath,
ExternalForcesOnActuator;

operation ControlRoll is (* pp. 87, 145 *)

components: GenerateRollTrimCommand, DisplayRollTrimPosition,
GenerateRollActuatorCommand, MoveRollActuator,
ProvideRollEnvelopeProtection, GenerateRollRateCommand,
LimitAutoRollCommands;

inputs: TargetFlightPath, ActualFlightPath, ExternalForcesOnRollActuator;
outputs: DisplayedRollTrimPosition, RollActuatorPosition;
description: (*

Performs all functions required to control the lateral axis by
controlling the roll angle. *);
end ControlRoll; 

operation GenerateRollTrimCommand is 
components: ; 

inputs: (* Note that no inputs is suspicious here *);

outputs: AutoRollTrimCommand, ManualRollTrimCommand;
description: (*

Generates roll trim commands to offset asymmetries such as engine out,
engine loss and lateral winds. *);
end GenerateRollTrimCommand; 

operation DisplayRollTrimPosition is 
components: ; 

inputs: RollTrimPosition;
outputs: DisplayedRollTrimPosition;
description: (*

Displays roll trim position to the crew. *);
end DisplayRollTrimPosition; 

operation GenerateRollActuatorCommand is 
components: ; 

inputs: ManualRollTrimCommand, AutoRollTrimCommand, ActualFlightPath,
LimitedRollRateCommand;

outputs: RollTrimPosition, DesiredRollActuatorPosition;
description: (*

Generates the roll actuator (aileron / spoiler) position commands based
on roll rate and trim commands. *);
end GenerateRollActuatorCommand; 

operation MoveRollActuator is
components: ;

inputs: DesiredRollActuatorPosition, ExternalForcesOnRollActuator;
outputs: RollActuatorPosition;
description: (*

Receives the desired roll actuator position and attempts to move the roll
actuator to that position. *);
end MoveRollActuator;

operation ProvideRollEnvelopeProtection is
components: ;

inputs: ManualRollRateCommand, LimitedAutoRollCommand, RollAngle;
outputs: LimitedRollRateCommand;
description: (* 

Monitors actual roll angle and commanded roll rate and modifies the roll 
rate command as necessary to prevent the roll angle from exceeding 
certain limits. *); 
end ProvideRollEnvelopeProtection;

operation GenerateRollRateCommand is

components: GenerateRollRateCommandManual, EngageManOrAutoOperation,
GenerateRollRateCommandAuto, MakeManualVsAutoFlightModeDecision;
inputs: TargetFlightPath, ActualFlightPath;
outputs: AutoRollRateCommand, ManualRollRateCommand;
description: (*

Compares the target flight path and actual flight path and generates
necessary roll rate command to drive the actual to the target. *);
end GenerateRollRateCommand;

operation LimitAutoRollCommands is 
components: ; 

inputs: AutoRollRateCommand;
outputs: LimitedAutoRollCommand;
description: (* 

Limits the autopilot control authority and protects against failures (in 
particular hardover or oscillatory failures) in the autopilot. *); 
end LimitAutoRollCommands; 

(* Pp. 151-152 *) 

operation GenerateRollRateCommandManual is
components: ;

inputs: ActualFlightPath, TargetFlightPath, ManualModeEngaged;
outputs: ManualRollRateCommand;
description: (*

Involves the generation of a roll rate command manually (i.e., by the
crew) as a result of comparing the target and actual flight paths. *);
end GenerateRollRateCommandManual;

operation EngageManOrAutoOperation is
components: ;

inputs: ManualFlightMode, AutoFlightMode;
outputs: ManualModeEngaged, AutoModeEngaged;
description: (*

Activates one of the roll rate generation processes depending on the mode
engaged. *)

end EngageManOrAutoOperation; 

operation GenerateRollRateCommandAuto is
components: ;

inputs: AutoModeEngaged, TargetFlightPath, ActualFlightPath;
outputs: AutoRollRateCommand;
description: (*

Involves the generation of a roll rate command automatically (i.e., by
the computer) as a result of the difference between the actual and target
flight path. *);

end GenerateRollRateCommandAuto;

operation MakeManualVsAutoFlightModeDecision is
components: ;

inputs: (* Note no inputs -- seems reasonable here. *);

outputs: ManualFlightMode, AutoFlightMode;
description: (*

Decides whether to generate flight path commands manually or
automatically. Note -- not clear if this should be the same as operation
of the same in ControlPitch module. *);
end MakeManualVsAutoFlightModeDecision;

object AutoRollRateCommand is 

operations: GenerateRollRateCommand, LimitAutoRollCommands,
GenerateRollRateCommandAuto;
description: (*

Roll rate command generated in an automated fashion (i.e., by an
autoflight computer). *);
end AutoRollRateCommand; 

object AutoRollTrimCommand is 

operations: GenerateRollTrimCommand, GenerateRollActuatorCommand; 
description: (*

Roll trim command generated automatically for use during enhanced manual 
control and autoflight control. *); 
end AutoRollTrimCommand; 

object DesiredRollActuatorPosition is

operations: GenerateRollActuatorCommand, MoveRollActuator;
description: (*

The desired roll actuator position such that the limited roll rate
command is achieved. *);
end DesiredRollActuatorPosition;

object DisplayedRollTrimPosition is 

operations: ControlMissionFlight, ControlRoll, DisplayRollTrimPosition,
FlightControlSystemRollFunctions, DisplayRollTrimStatus;
description: (*

The roll trim position displayed to the crew. *);
end DisplayedRollTrimPosition;

object ExternalForcesOnRollActuator instance of ExternalForcesOnActuator is
operations: ControlRoll, MoveRollActuator,
FlightControlSystemRollFunctions;
description: (*

All forces (in particular environmental forces) other than the actuation
forces acting on the aerodynamic braking and roll actuation system. *);
end ExternalForcesOnRollActuator;

object LimitedAutoRollCommand is

operations: ProvideRollEnvelopeProtection, LimitAutoRollCommands;
description: (*

The auto roll rate command limited to the autoflight roll authority. *);
end LimitedAutoRollCommand;

object LimitedRollRateCommand is

operations: GenerateRollActuatorCommand, ProvideRollEnvelopeProtection;
description: (*

The roll rate command limited such that the envelope protection criteria
are not violated. *);
end LimitedRollRateCommand;

object ManualRollRateCommand is 

operations: ProvideRollEnvelopeProtection, GenerateRollRateCommand,
GenerateRollRateCommandManual, ResolveRollControlContention;
description: (*

Roll rate command generated manually (i.e., by the crew). *);
end ManualRollRateCommand; 

object ManualRollTrimCommand is 

operations: GenerateRollTrimCommand, GenerateRollActuatorCommand;
description: (*

The roll trim command as generated by the crew for normal control. The
trim provides a steady state roll angle to offset asymmetries. *);
end ManualRollTrimCommand;

object RollActuatorPosition is

operations: UpdateAircraftState, ControlRoll, MoveRollActuator,
FlightControlSystemRollContext, FlightControlSystemRollFunctions;
description: (*

Position of the system which makes the aircraft roll. *);
end RollActuatorPosition;

object RollAngle is 

operations: ProvideRollEnvelopeProtection,
FlightControlSystemRollFunctions;
description: (*

Airplane roll angle. *);
end RollAngle;

object RollTrimPosition is

operations: DisplayRollTrimPosition, GenerateRollActuatorCommand;
description: (*

Position of the roll trim actuator. *);
end RollTrimPosition;

end ControlRoll; 


(*****************************************************************************
* Module FlightControlSystemRollFunctions from pp. 153-168
*****************************************************************************)
module FlightControlSystemRollFunctions;

operation FlightControlSystemRollContext is
components: PerformPilotFunctions, PerformCopilotFunctions,
FlightControlSystemRollFunctions, PerformAutoFlightSystemFunctions;
inputs: (* Unclear -- see pg. 153. *);
outputs: RollActuatorPosition;
description: (* Unclear -- see pp. 153-154. Also cf.
FlightControlSystemPitchContext in module
FlightControlSystemRollFunctions above. *);
end FlightControlSystemRollContext;

operation FlightControlSystemRollFunctions is

components: ProvidePilotRollInterface, ProvideCopilotRollInterface,
DisplayRollTrimStatus, ResolveRollControlContention,
GenerateRollActuatorCommand, MoveRollActuator,
DisplayRollEnvelopeProtectStatus, ProvideRollEnvelopeProtection,
LimitAutoRollCommands;
inputs: PilotRollTrimForce, PilotRollRateForce, CopilotRollRateForce,
CopilotRollTrimForce, AutoRollTrimCmd, AutoRollRateCmd
(* plus maybe the following due to ambiguity on pp. 153 versus 157: *)
, ActualFlightPath, ExternalForcesOnActuator, RollAngle (* Note that the
RollAngle input here is seemingly inconsistent with the ActualFlightPath
input in the comparable position in the FlightControlSystemPitchFunctions
on pg. 133. *);
outputs: PilotRRCmdFeelForce, CopilotRRCmdFeelForce,
DisplayedRollTrimPosition, RollActuatorPosition,
DisplayedRollEnvelopeProtectStatus (* Note that as with inputs, these are
inconsistent on pp. 153 versus 157. *);
description: (*
Note that the following description is taken from ASCT1 page 154, but it
is not a fully accurate description of this operation as it is defined in
WSRSL. See the remarks in the first-year of the report. Cf. also
description of operation FlightControlSystemPitchFunctions above.

Contains all the flight control functions assigned to the FCS. As a
result of this assignment several new processes are created. Some of
these are interface functions and others are as a result of how functions
were allocated to the AEs. (I.e., Envelope protection was assigned to
the FCS with a probability of failure <10E-6. However this function
requires <10E-09. Therefore the pilot and copilot must perform envelope
protection when not being performed by the FCS. Thus a pilot indication
function of the status of envelope protection is generated.) Pilot and
copilot can command roll rate, thus there is a functional requirement to
resolve control contention. *);
end FlightControlSystemRollFunctions;

operation ProvidePilotRollInterface is
components: ConvertForcesToDisplacement, GenerateRollFeelForce,
TranslateRRDisplToRRCommand, TranslateTrimForceToTrimCommand;
inputs: PilotRollTrimForce, PilotRollRateForce;
outputs: PilotRRCmdFeelForce, PilotRollTrimCommand, PilotRollRateCommand;
description: (*
Converts the signal received from the pilot in the form of a force
exerted by the pilot's hand into a roll rate signal to be used by the FCS.
It also provides the pilot with a feedback feel force proportional to the
commanded roll rate. *);
end ProvidePilotRollInterface;

operation ProvideCopilotRollInterface is
components: ;
inputs: CopilotRollRateForce, CopilotRollTrimForce;
outputs: CopilotRRCmdFeelForce, CopilotRollRateCommand,
CopilotRollTrimCommand;
description: (*
Provides the same function for the copilot as the
ProvidePilotRollInterface does for the pilot. *);
end ProvideCopilotRollInterface;

operation DisplayRollTrimStatus is
components: ;
inputs: RollTrimPosition;
outputs: DisplayedRollTrimPosition;
description: (*
Displays roll trim position to the crew. Note naming inconsistency on
pp. 157 vs. 158. *);
end DisplayRollTrimStatus;

operation ResolveRollControlContention is
components: ;
inputs: PilotRollRateCommand, PilotRollTrimCommand, CopilotRollRateCommand,
CopilotRollTrimCommand;
outputs: ManualRollRateCommand, ManualRollTrimCmd;
description: (*
Generated by the assignment of the Generate Roll Rate Cmd Manual to both
the pilot and copilot. *);
end ResolveRollControlContention;

operation GenerateRollActuatorCommand is
components: ;
inputs: LimitedRollRateCommand, ManualRollTrimCmd, ActualFlightPath,
AutoRollTrimCmd;
outputs: RollTrimPosition, DesiredRollActuatorPos;
description: (*
Generates the roll actuator (aileron / spoiler) position commands based
on roll rate and trim commands. *);
end GenerateRollActuatorCommand;

operation MoveRollActuator is
components: ;
inputs: DesiredRollActuatorPos, ExternalForcesOnActuator;
outputs: RollActuatorPosition;
description: (*
Receives the desired roll actuator position and attempts to move the roll
actuator to that position. *);
end MoveRollActuator;

operation DisplayRollEnvelopeProtectStatus is
components: ;
inputs: RollEnvelopeProtectStatus;
outputs: DisplayedRollEnvelopeProtectStatus;
description: (*
Results from the allocation of Provide Roll Envelope Protection to the
FCS with a probability of loss of function of <10E-6. Provide
RollEnvelopeProtection has a probability of loss of function of < 10E-9
and thus the crew has responsibility for roll envelope protection when
not performed by the FCS. Thus the crew must be aware of envelope
protect status, hence the function requirement to Display Roll Envelope
Protect Status. *);
end DisplayRollEnvelopeProtectStatus;

operation ProvideRollEnvelopeProtection is
components: ;
inputs: RollAngle (* Note: Why not ActualFlightPath as in
operation ProvideLongitudinalEnvelopeProtection on pg. 133 *),
LimitedAutoRollCommand, ManualRollRateCommand;
outputs: LimitedRollRateCommand, RollEnvelopeProtectStatus;
description: (*
Monitors actual roll angle and commanded roll rate and modifies the roll
rate command as necessary to prevent the roll angle from exceeding
certain limits. *);
end ProvideRollEnvelopeProtection;

operation LimitAutoRollCommands is
components: ;
inputs: AutoRollRateCommand;
outputs: LimitedAutoRollCommand;
description: (*
Limits the autopilot control authority and protects against failures (in
particular hardover or oscillatory failures) in the autopilot. *);
end LimitAutoRollCommands;

(***** Pilot Roll Interface, pp. 161-162 *****)
operation ConvertForcesToDisplacement is
components: ;
inputs: RollRateForce, RRCmdFeelForce;
outputs: RollRateCmdDispl;
description: (*
Receives the pilot force and feedback feel force and generates a
displacement. *);
end ConvertForcesToDisplacement;

operation GenerateRollFeelForce is
components: ;
inputs: RollRateCommand;
outputs: RRCmdFeelForce, RRCmdFeelForce;
description: (*
Generates a force to feedback to the pilot which is an indication of the
commanded roll rate. *);
end GenerateRollFeelForce;

operation TranslateRRDisplToRRCommand is
components: ;
inputs: RollRateCmdDispl;
outputs: RollRateCommand, RollRateCommand;
description: (*
Translates the sidestick controller displacement to a roll rate command.
*);
end TranslateRRDisplToRRCommand;

operation TranslateTrimForceToTrimCommand is
components: ;
inputs: RollTrimForce;
outputs: RollTrimCommand;
description: (*
Converts the physical displacement generated by the physical force
exerted by the pilot into a trim command for use by the FCS. *);
end TranslateTrimForceToTrimCommand;

end FlightControlSystemRollFunctions;

(******************************************************************************
 * Module ControlYaw from pp. 169 - 193
 ******************************************************************************)
module ControlYaw;

operation ControlYaw is
components: GenerateDirectionalTrimCommand, DisplayDirectionalTrimPosition,
GenerateYawActuatorCommand, EngineOutControlAugmentation,
MoveYawActuator, ProvideYawEnvelopeProtection, GeneateSideslipCommand,
LimitAutoSideslipCommands;
inputs: TargetFlightPath, ActualFlightPath, EngineThrust,
ExternalForcesOnYawActuator, SideslipAngle (* Inconsistent pp. 87 versus
169 *);
outputs: DisplayedDirectionalTrimPos, YawActuatorPosition;
description:
(* Controls the aircraft directional axis. *);
end ControlYaw;


operation GenerateDirectionalTrimCommand is
components: ;
inputs: (* None -- suspicious. *);
outputs: ManualDirectionalTrimCmd, AutoDirectionalTrimCmd;
description: (*
Generates directional trim commands to offset asymmetries such as engine
out and lateral winds. Note: inconsistent names pp. 1. *);
end GenerateDirectionalTrimCommand;


operation DisplayDirectionalTrimPosition is
components: ;
inputs: DirectionalTrimPosition;
outputs: DisplayedDirectionalTrimPos;
description: (*
Displays the position for the directional trim actuator to the crew. *);
end DisplayDirectionalTrimPosition;

operation GenerateYawActuatorCommand is
components: ;
inputs: LimitedSideslipCommand, ManualDirectionalTrimCmd,
AutoDirectionalTrimCmd, ActualFlightPath, ECAYawCommand;
outputs: DirectionalTrimPosition, DesiredYawActuatorPosition;
description: (*
Generates the sideslip actuator (rudder) position command based on the
limited sideslip command, directional trim command and the engine out
control augmentation command. *);
end GenerateYawActuatorCommand;

operation EngineOutControlAugmentation is
components: ;
inputs: EnginesThrust;
outputs: ECAYawCommand;
description: (*
Monitors the engine thrust and generates a yaw command to assist the
pilot in compensation for an engine out situation. In particular it
helps relieve pilot workload in takeoff and go around which are high
pilot workload situations. *);
end EngineOutControlAugmentation;

operation MoveYawActuator is
components: ;
inputs: DesiredYawActuatorPosition, ExternalForcesOnYawActuator;
outputs: YawActuatorPosition;
description: (*
Receives the desired yaw actuator position and attempts to move the yaw
actuator to that position. *);
end MoveYawActuator;

operation ProvideYawEnvelopeProtection is
components: ;
inputs: SideslipAngle, ManualSideslipComand, LimitedAutoSideslipCommand;
outputs: LimitedSideslipCommand;
description: (*
Monitors the commanded sideslip and the actual sideslip and modifies the
sideslip command to prevent the sideslip angle from exceeding unsafe
limits. *);
end ProvideYawEnvelopeProtection;

operation GeneateSideslipCommand is
components: ;
inputs: TargetFlightPath, ActualFlightPath;
outputs: AutoSideslipCommand, ManualSideslipCommand;
description: (*
Involves the generation of sideslip commands to allow for decrab for
landings, performing coordinated turns and offsetting certain
asymmetries. *);
end GeneateSideslipCommand;

operation LimitAutoSideslipCommands is
components: ;
inputs: AutoSideslipCommand;
outputs: LimitedAutoSideslipCommand;
description: (*
Limits the autopilot control authority and protects against failures (in
particular hardover or oscillatory failures) in the autopilot. *);
end LimitAutoSideslipCommands;

operation GenerateSideslipCmdManual is
components: ;
inputs: ActualFlightPath, TargetntFl ight Pat hNBManualS ides lipCommand,
ManualModeEngaged;
outputs: ManualSideslipCommand;
description: (*
Involves the generation of a sideslip command manually (i.e., by the
crew) as a result of comparing the actual and desired flight path
(including attitudes). *);
end GenerateSideslipCmdManual;

(* NOTE: Next two ops are generic and should, accordingly, appear in another
module. Cf. GenerateRollRateCommand (pg. 151) and
GenerateFlightPathCommand (pg. 127). *)
operation MakeManualVsAutoFlightModeDecision is
components: ;
inputs: none;
outputs: ManualFlightMode, AutoFlightMode;
description: (* *);
end MakeManualVsAutoFlightModeDecision;

operation EngageManOrAutoOperation is
components: ;
inputs: ManualFlightMode, AutoFlightMode;
outputs: ManualModeEngaged, AutoModeEngaged;
description: (*
Involves the generation of a sideslip command automatically (i.e., by a
computer). *);
end EngageManOrAutoOperation;

operation GenerateSideslipCmdAuto is
components: ;
inputs: TargetFlightPath, ActualFlightPath, AutoModeEngaged;
outputs: AutoSideslipCommand;
description: (*
*);
end GenerateSideslipCmdAuto;

object ExternalForcesOnYawActuator instance of ExternalForcesOnActuator is
operations: ControlMissionFlight, ControlRoll, ControlYaw, MoveYawActuator;
description: (*
All forces (in particular environmental forces) other than
actuation forces acting on the yaw actuation system. *);
end ExternalForcesOnYawActuator;

end ControlYaw; 

(******************************************************************************
 * Module FlightControlSystemYawFunctions from pp. 179-193
 ******************************************************************************)
module FlightControlSystemYawFunctions;

operation FlightControlSystemYawContext is
components: PerformPilotFunctions, PerformCopilotFunctions,
FlightControlSystemYawFunctions, PerformAutoFlightSystemFunctions;
inputs: (* Unclear -- see pg. 179. *);
outputs: YawActuatorPosition;
description: (* *);
end FlightControlSystemYawContext;

operation FlightControlSystemYawFunctions is
components: ProvidePilotYawInterface, ProvideCopilotYawInterface,
DisplayDirectionalTrimPosition, ResolveYawControlContentions,
GenerateYawActuatorCommand, EngineOutControlAugmentation,
MoveYawActuator, DisplayEnvelopeProtectStatus,
ProvideYawEnvelopeProtection, LimitAutoSideslipCommands;
inputs: PilotDirectionalTrimForce, PilotSideslipForce,
CopilotDirectionalTrimForce, CopilotSideslipForce,
AutoDirectionalTrimCmd, AutoSideslipCommand
(* plus maybe the following due to ambiguity on pp. 179 versus 183: *)
, ActualFlightPath, EngineThrust, ExternalForcesOnActuator,
SideslipAngle;
outputs: ;
description: (* *);
end FlightControlSystemYawFunctions;

operation ProvidePilotYawInterface is
components: ConvertForceToDisplacement, GenerateSideslipFeelForce,
TranslateSideslipDisplCmd, TranslateDirecTrimForceToCommand;
inputs: PilotSideslipForce, PilotDirectionalTrimForce;
outputs: PilotSideslipCmdFeelForce, PilotDirectionalTrimCmd,
PilotSideslipCommand;
description: (*
Converts the signal received from the pilot in the form of a force
exerted by the pilot's hand into a sideslip signal to be used by the FCS.
It also provides the pilot with a feedback force proportional to the
command sideslip angle. *);
end ProvidePilotYawInterface;

operation ProvideCopilotYawInterface is
components: ;
inputs: CopilotSideslipForce, CopilotDirectionalTrimForce,
CopilotSideslipCommand, CopilotDirectionalTrimCmd;
outputs: CopilotSideslipCmdFeelForce;
description: (*
Provides the same function for the copilot as the
ProvidePilotYawInterface does for the pilot. *);
end ProvideCopilotYawInterface;

operation DisplayDirectionalTrimPosition is
components: ;
inputs: DirectionalTrimPosition;
outputs: DisplayedDirectionalTrimPos;
description: (*
Displays the position of the directional trim actuator to the crew. *);
end DisplayDirectionalTrimPosition;

operation ResolveYawControlContentions is
components: ;
inputs: PilotSideslipCommand, PilotDirectionalTrimCmd,
CopilotSideslipCommand, CopilotDirectionalTrimCmd;
outputs: ManualSideslipCommand, ManualDirectionalTrimCmd;
description: (*
Generated as a result of the assignment of the GenerateSideslipCmdManual
to both the pilot and copilot. *);
end ResolveYawControlContentions;

operation GenerateYawActuatorCommand is
components: ;
inputs: LimitedSideslipCommand, ManualDirectionalTrimCmd, ActualFlightPath,
AutoDirectionalTrimCmd, ECAYawCommand;
outputs: DirectionalTrimPosition, DesiredYawActuatorPosition;
description: (*
Generates the sideslip actuator (rudder) position command based on the
limited sideslip command, directional trim command and the engine out
control augmentation command. *);
end GenerateYawActuatorCommand;

operation EngineOutControlAugmentation is
components: ;
inputs: EnginesThrust;
outputs: ECAYawCommand;
description: (*
Monitors the engine thrust and generates a yaw command to assist the
pilot in compensating for an engine out situation. In particular it
helps relieve pilot workload in takeoff and go around which are high
pilot workload situations. *);
end EngineOutControlAugmentation;

operation MoveYawActuator is
components: ;
inputs: DesiredYawActuatorPosition, ExternalForcesOnActuator;
outputs: YawActuatorPosition;
description: (*
Receives the desired yaw actuator position and attempts to move the yaw
actuator to that position. *);
end MoveYawActuator;

operation DisplayYawEnvelopeProtectStatus is
components: ;
inputs: YawEnvelopeProtectStatus;
outputs: DisplayedYawEnvelopeProtectStatus;
description: (*
Results from the allocation of ProvideYawEnvelopeProtection to the FCS
with a probability of loss of function < 10E-6. YawEnvelopeProtection
has a probability of loss of function < 109E-9 and thus the crew has
responsibility for yaw envelope protection when not performed by the FCS,
hence the crew must be aware of the envelope protection status which
leads to this functional requirement. *);
end DisplayYawEnvelopeProtectStatus;

operation ProvideYawEnvelopeProtection is
components: ;
inputs: SideslipAngle, LimitedAutoSideslipCommand, ManualSideslipCommand;
outputs: LimitedSideslipCommand, YawEnvelopeProtectStatus;
description: (*
Monitors the commanded sideslip and the actual sideslip and modifies the
sideslip command to prevent the sideslip angle from exceeding unsafe
limits. *);
end ProvideYawEnvelopeProtection;

operation LimitAutoSideslipCommands is
components: ;
inputs: AutoSideslipCommand;
outputs: LimitedAutoSideslipCommand;
description: (*
Limits the autopilot control authority and protects against failures (in
particular hardover or oscillatory failures) in the autopilot. *);
end LimitAutoSideslipCommands;

(***** Pilot Yaw Interface, pp. 187-188 *****)

operation ConvertForceToDisplacement is
components: ;
inputs: SideslipForce, SideslipFeelForce;
outputs: SideslipCommandDispl;
description: (*
Receives the pilot force and feedback feel force and generates a
displacement. *);
end ConvertForceToDisplacement;

operation GenerateSideslipFeelForce is
components: ;
inputs: SideslipCommand;
outputs: SideslipFeelForce;
description: (*
Generates a force to feedback to the pilot which is an indication of the
commanded sideslip angle. *);
end GenerateSideslipFeelForce;

operation TranslateSideslipDisplCmd is
components: ;
inputs: SideslipCommandDispl;
outputs: SideslipCommand;
description: (*
Translates the displacement (rudder pedal) to a sideslip command. *);
end TranslateSideslipDisplCmd;

operation TranslateDirecTrimForceToCommand is
components: ;
inputs: DirectionalTrimForce;
outputs: DirectionalTrimCommand;
description: (*
Converts the physical displacement generated by the physical force
exerted by the pilot into a trim command for use by the FCS. *);
end TranslateDirecTrimForceToCommand;

end FlightControlSystemYawFunctions;


(******************************************************************************
 * Module ControlAerodynamicBraking from pp. 198-219, and AE diagrams
 * pp. 218 - 219
 ******************************************************************************)
module FlightControlSystem;


object FlightControlSystem is
components: FlightControlComputer, SpeedBrakeController,
HightLiftController, Displays, HightLiftSystem, RudderSystem,
SpoilerSystem, AileronSystem, ElevatorStabilizerSystem,
SidestickControllers, RudderPedals;
description: (*
The primary agent, along with Crew members, to execute flight control
operations *);
end FlightControlSystem;

operation PerformAutoFlightSystemFunctions is
components: ;
inputs: ;
outputs: ;
description: (*
The AEAuto-FlightSystem ''Architectural Element''. *);
end PerformAutoFlightSystemFunctions;


object class Computer is
components: ;
operations: ;
description: (* *);
end Computer;

object class Sensor is
components: ;
operations: ;
description: (* *);
end Sensor;

object class SurfaceActuator is
components: ;
operations: ;
description: (* *);
end SurfaceActuator;

object class Command is
components: HowActuated, AffectedAircraftComponents (* ... *);
description: (*
The high-level class of control commands that are generated by either
the crew or flight control system. *);
end Command;


(***** Control System Signal Transmission (F.C.S.1), Pg. 199 *****)
object Communicant is
components: Computer | Sensor | SurfaceActuator;
operations: ;
description: (* *);
(* One of the classes of objects between which data communications take
place. *)
end Communicant;

object DataBus is
components: ;
operations: TransmitData: (Communicant, Communicant, DataBus) -> (boolean);
description: (* *);
end DataBus;

(***** Control System Computation Requirements (F.C.C.1), Pg. 223 *****)

var cm1, cm2: Communicant;
db: DataBus;
axiom
forall (cm1, cm2: Communicant, db: DataBus)
if TransmitData(cm1, cm2, db)
then (db.Type = Electrical or db.Type = Optical) and
(db.Speed > MinimumDataCommSpeed);

end FlightControlSystem; 
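
The components/inputs/outputs clauses used throughout the modules above can be cross-checked mechanically, which is how dangling data flows and the kind of naming inconsistencies flagged in the comments are found. The Python checker below is an added example, not part of the original specification or the RSL toolset; the parent operation ControlRollSketch, the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample in the clause syntax used above. The parent deliberately
# omits GenerateRollActuatorCommand so that two data flows are left dangling.
SAMPLE_RSL = """
operation ControlRollSketch is
components: ResolveRollControlContention, MoveRollActuator;
inputs: PilotRollRateCommand, CopilotRollRateCommand,
ExternalForcesOnActuator (* comments are ignored by the checker *);
outputs: RollActuatorPosition;
description: (* Hypothetical parent operation. *);
end ControlRollSketch;

operation ResolveRollControlContention is
components: ;
inputs: PilotRollRateCommand, CopilotRollRateCommand;
outputs: ManualRollRateCommand;
end ResolveRollControlContention;

operation MoveRollActuator is
components: ;
inputs: DesiredRollActuatorPos, ExternalForcesOnActuator;
outputs: RollActuatorPosition;
end MoveRollActuator;
"""

COMMENT = re.compile(r"\(\*.*?\*\)", re.S)
OPERATION = re.compile(r"\boperation\s+(\w+)\s+is\b(.*?)\bend\s+(\w+)\s*;", re.S)
CLAUSE = re.compile(r"\b(components|inputs|outputs)\s*:(.*?);", re.S)


def parse_operations(text):
    """Return {name: {"components": [...], "inputs": [...], "outputs": [...]}}."""
    ops = {}
    for name, body, end_name in OPERATION.findall(COMMENT.sub(" ", text)):
        if name != end_name:
            raise ValueError(f"'operation {name}' is closed by 'end {end_name}'")
        op = {"components": [], "inputs": [], "outputs": []}
        for key, items in CLAUSE.findall(body):
            names = [i.strip() for i in items.split(",")]
            # "none" is used above as an explicit empty list
            op[key] = [n for n in names if n and n != "none"]
        ops[name] = op
    return ops


def check_decomposition(ops, parent):
    """Compare a parent's declared interface with what its components use."""
    findings, children = [], []
    for comp in ops[parent]["components"]:
        if comp in ops:
            children.append(ops[comp])
        else:
            findings.append(f"component {comp} is not defined")
    produced = {o for ch in children for o in ch["outputs"]}
    consumed = {i for ch in children for i in ch["inputs"]}
    declared_in = set(ops[parent]["inputs"])
    declared_out = set(ops[parent]["outputs"])
    for n in sorted(consumed - produced - declared_in):
        findings.append(f"{n} is consumed but has no producer and is not a parent input")
    for n in sorted(declared_in - consumed):
        findings.append(f"parent input {n} is not consumed by any component")
    for n in sorted(declared_out - produced):
        findings.append(f"parent output {n} is not produced by any component")
    for n in sorted(produced - consumed - declared_out):
        findings.append(f"{n} is produced but neither consumed nor a parent output")
    return findings


if __name__ == "__main__":
    for finding in check_decomposition(parse_operations(SAMPLE_RSL), "ControlRollSketch"):
        print(finding)
```
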